Interesting phenomenom with Windows Server 2008 R2 user access controls and NTFS ACLs

Posted by Simon Catlin on Server Fault See other posts from Server Fault or by Simon Catlin
Published on 2012-09-04T20:50:59Z Indexed on 2012/09/04 21:40 UTC
Read the original article Hit count: 275

One to try, and I'd appreciate any thoughts on this.

On a Windows Server 2008 R2 box (or presumably 2008 R1, Windows Vista or Windows 7):

i) Logon as an administrator, and create a new NTFS volume

ii) Blow away the standard MS ACLS on the root of the volume (which are laughable), and replace with Administrators:Full Control, System:Full Control, e.g.:

echo Y|cacls.exe d:\ /g "Administrators:F" "SYSTEM:F"

iii) Now, from a Command Prompt shell window or PowerShell window, switch to that drive (cd /d D:\ or set-location D:\ ). Works fine... no issues.

iv) Now, try to browse to the root of the new volume using MS Explorer... Access denied.

Now, I've kind of convinced myself that it is UAC getting in the way, as you can add "Authenticated Users:List" access to D:\ and Explorer then works. I can only assume that MS Explorer isn't able to use the "admin" token for the Administrator. Browsing to explorer.exe and doing a "Run as administrator" has no effect.

Any thoughts?

Cheers in advance.

© Server Fault or respective owner

Related posts about windows-server-2008

Related posts about ntfs